Analysis Overview
SHA256
0f40b111497b78b928a42f3c4f2e0c988be7ee5b3b0d523300685b75a2aadf06
Threat Level: Known bad
The file LummaC2-corps.exe.bin was found to be: Known bad.
Malicious Activity Summary
Detect Lumma Stealer payload V2
Lumma family
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-30 22:18
Signatures
Detect Lumma Stealer payload V2
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Lumma family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-30 22:18
Reported
2023-04-30 22:35
Platform
win10v2004-20230220-en
Max time kernel
135s
Max time network
153s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\LummaC2-corps.exe
"C:\Users\Admin\AppData\Local\Temp\LummaC2-corps.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 8.238.179.126:80 | tcp | |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 93.184.220.29:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 52.182.141.63:443 | tcp | |
| NL | 8.238.179.126:80 | tcp | |
| NL | 8.238.179.126:80 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 131.253.33.203:80 | tcp | |
| US | 8.8.8.8:53 | 2.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-30 22:18
Reported
2023-04-30 22:34
Platform
win7-20230220-en
Max time kernel
30s
Max time network
33s
Command Line
Signatures
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Processes
C:\Users\Admin\AppData\Local\Temp\LummaC2-corps.exe
"C:\Users\Admin\AppData\Local\Temp\LummaC2-corps.exe"
Network
| Country | Destination | Domain | Proto |
| BG | 195.123.226.167:80 | tcp | |
| BG | 195.123.226.167:80 | tcp | |
| BG | 195.123.226.167:80 | tcp | |
| BG | 195.123.226.167:80 | tcp | |
| BG | 195.123.226.167:80 | tcp | |
| BG | 195.123.226.167:80 | tcp | |
| BG | 195.123.226.167:80 | tcp | |
| BG | 195.123.226.167:80 | tcp | |
| BG | 195.123.226.167:80 | tcp | |
| BG | 195.123.226.167:80 | tcp |